What The Heck Is Penetration Testing And How Does It Work?

This week the founders talk about security, and what the process was like to have penetration testing done for Honeybadger. They also talk about why they don't offer bug bounties and Josh explains what a Whirly Board is.

Show Notes:
Links:
Whirly Board
OWASP Top Ten
Detectify
Kolide
WWIV
Trade Wars
Security Researcher Hall of Fame

Full Transcript:
Josh:
Yeah. It's called a Whirly Board and it's a local... Well, not local. It's a US small business apparently that makes them. I forget where they're located. Not in Washington. It's like a skateboard. There's I've seen other balance boards that are made for standing desks, but none of them have the... This has also side... You can balance on the edges of it as well so you can rock back and forth between the outer edges and balance.

Starr:
Oh, that's really cool.

Josh:
Apparently you can do tricks. You can 360.

Starr:
Of course you can.

Josh:
And... Yeah. You can ollie.

Starr:
So I was imagining literally a skateboard on top of an exercise ball where if you lost your balance it would just fly out from underneath you.

Josh:
Yeah. This is not... One of the big exercise balls?

Starr:
Yeah. Yeah, exactly. One of the big ones.

Josh:
No.

Starr:
You probably wouldn't have enough ceiling in your room to... The ceiling wouldn't be high enough to-

Josh:
Yeah. It would not be. Yeah.

Starr:
Well, that's cool. So that's supposed to work out your core or something or give you a better balance?

Josh:
Yeah, I think all of the above. I more just got it to give myself something to do while I'm standing. It's kind of fun. It's a sport you can do while working at your desk.

Starr:
Oh, that's cool. Sometimes at my standing desk I find that I'm fine. I find that I'm standing, but I'm standing in this very rigid way. And I have to remind myself to not do that. So maybe that would help.

Josh:
This definitely stops you from doing that. You have to... And I think this one is very... It's not stable at all so it's probably on the more unstable end of the options out there.

Starr:
I was trying to work that into a sick burn against, I don't know, Node or something, but-

Josh:
Put it in there somewhere.

Starr:
... couldn't do it in time. I'm a little bit tired. Feeling a little bit tired. So on Thursday... Wait. Yeah, Thursday I took the day off and drove down to San Francisco. It was a 13 hour drive. And then I had a-

Josh:
Pretty good time?

Starr:
Yeah. I had an appointment, came back the next day and another 13 hour drive. I didn't really sleep very well. I mean, honestly, it wasn't as bad as I thought it would be. It was very long, but I've done that before. It's about the same distance from the bottom of Texas to Guadalajara, which I've driven several times.

Josh:
Yeah. It's not too bad.

Starr:
It's boring and you feel like mush. You feel like oatmeal after the end of it, but...

Josh:
Yeah. Get a good audio book or podcast or something.

Starr:
Yeah.

Josh:
I mean, our podcast doesn't work well for long road trips because our episodes are 30 minutes.

Starr:
I just binged our own podcast the whole way down there. I just binged it. It's so bingeable.

Josh:
So you binged on the way down, and then you binged it again on the way back?

Starr:
Yeah. So my biggest travel tip that I... Something I did different this time. It really probably only works. I mean, maybe you could swing this if you're flying. The reason I drove instead of just taking an easy one hour flight is that I don't want to die. And that seemed to be the less lethal option at this point. So I was able to take my yoga mat. I don't do really complex yoga, but just having this ability to stretch after I arrive at a place after driving many hours, and I feel much less pretzelified than I normally would after a trip like that.

Josh:
That's a good idea.

Starr:
Yeah.

Josh:
Did you go down by The Golden Gate Bridge and just out on the beach and stretch at dawn, do some yoga at dawn on the waterfront?

Starr:
I'll let you imagine that. Yeah. That's a great image. I'll let all of our listeners imagine that, that I have that kind of life.

Josh:
Yeah.

Starr:
That sounds wonderful.

Josh:
Yeah. I've done that drive more times than I probably should have.

Starr:
Do you all mind if I cross promote my Insta on here? I'm just kidding. I don't have an Insta.

Josh:
You're a lifestyle influencer?

Starr:
Yeah.

Josh:
Yeah.

Starr:
So yeah. What are we talking about today? 

Ben:
I was just thinking about security in the context of our compliance work, which thankfully is just about wrapped up. I checked on the auditor portal this morning and all of the evidences have been accepted.

Josh:
Yay.

Ben:
So now I think it's just getting the final report written is the only thing left for them to do. So I'm pretty excited about that.

Josh:
You knocked those out fast, Ben.

Ben:
Well, it only took, what, several months of preparation to get to that point.

Starr:
Fast.

Josh:
Yeah, the last couple of weeks it seems like you're like, yeah, they gave me another list of 40 things that we have to do. And I'll maybe get to them over the next couple of months. And then a whole week of doing things, and then it's ready.

Starr:
You posted a screenshot and it was all gameified. It looked like Xbox achievements or something.

Josh:
Oh, right. Are you going for HIPAA now?

Ben:
Oh man. I so want to. You have to envision this since you're listening to this podcast, but imagine a dashboard that shows you circle charts for completion. What we're working on, and what we've been working on, the compliance is SOC2. And on our dashboard for the auditor's tool, their web based tool they use to track all this stuff, there is a little circle chart that shows you what your completion is towards your goal of getting SOC2 compliance. Well, next to that chart are other charts that show you what your progression is towards other compliance games that you could use, like HIPAA or ISO 27001. And it's totally game mechanics, psychological kind of thing, where they're like, "Hey, look how close you are to this other thing that you could also do and spend a lot more money and time to get compliance certified for." And it just made me twitch because I'm totally a sucker for that sort of thing. I'm like, oh, I could get that, and I could get that. Yeah, it's been rough. I have to resist the urge to double down and do HIPAA and other things like that.

Josh:
Yeah. Does SOC affect... If a medical business needed to use us that needed something... I don't know. Does it help us at all in the medical field, or do we need to go for HIPAA if we're going to deal with that?

Ben:
HIPAA, like SOC, there's not a checklist of things. It's a bunch of guidelines, and-

Josh:
Yeah.

Ben:
There's a bunch of guidelines, and you need to assure an auditor, and your customers, that you adhere to certain practices and procedures that make you a secure organization. So there is a lot of overlap. So, for example, that percentage goal thing that they showed in the dashboard. When it was showing SOC2 is 87% completed, it was showing HIPAA at 82% complete.

Josh:
Yeah.

Ben:
So there is a lot of overlap there.

Josh:
Okay.

Ben:
But the way that, typically, I think we will handle that, instead of just going for a full HIPAA certification for an auditor is we'll just sign the business associate agreements that HIPAA compliant customers want to use, in which we assure them that, yes, we're doing those things. But yeah. We can definitely point-

Josh:
Gotcha.

Ben:
... at the SOC2 report and say, "Yep. Our auditor says we're doing stuff that makes us secure so you can trust us." Yeah.

Josh:
Right. And having the SOC2 would probably add weight to our statements of-

Ben:
Right.

Josh:
... we're complying with other things.

Ben:
Yeah. Yeah. It's not just the pinky swear kind of thing. It's, "This is legit. This is verified." Yeah.

Josh:
Right.

Ben:
It's kind of funny because a couple weeks ago, I was looking at using a new vendor. And as part of our compliance now, we have to go and make sure that our vendors are also following security best practices. And that means I have to get some sort of report or attestation from them. And so I sent an inquiry to a potential vendor, and said, "Hey, can you send me a SOC2 report? Or can you send me some sort of attestation?"

Ben:
And they're like, "Sure." And they sent me a bunch of their policies. I'm like, "Oh yeah. I recognize these policies. Because these are some that I wrote." And then my next thought was, "But how do I know that you're following these policies?" It's just kind of silly.

Josh:
Yeah. We're like on the other side of this now. Because now you've been going to try to make sure our vendors are complying with the things that we need to comply with, and they're giving you the run around. Right?

Ben:
Right. Yep. Yeah. It's been great.

Ben:
The shoe is on the other foot.

Starr:
The funny thing about all this, I feel, based on my limited understanding, is that like corporate regulation by the government, and the punishments that companies get, and people inside of companies get for white collar crime, malpractice malfeasant stuff is so just BS and just, yeah. Basically companies never get punished for doing anything wrong. We're creating these huge chains of liability. And then at the end of the day, not for us, we would probably get screwed if we got sued by somebody. We're not like Exxon, but yeah. If Exxon or Facebook or somebody gets sued by somebody, nothing really bad is going to happen to them as a result.

Josh:
Yeah.

Starr:
So I don't know.

Josh:
If you can tolerate the lawsuit, you probably don't care.

Starr:
Yeah, exactly.

Ben:
So one of the fun things that came out of the compliance work, though, was security testing. So one of the things that they asked for is, "Have you done a penetration test in the past year?" And prior to this, we had not done a penetration test primarily because they're darn expensive. Really, really expensive. But it turns out that it was a really interesting exercise. So we contacted a firm who has experience with testing Rails applications in particular. Again, this is the first time I had gone through it. So I was surprised, too. As we were onboarding with them, they gave us some options on what kind of testing we would like to have. And one of the options was just plain old they have no information. They're just going in blind, and try and mess up your system.

Ben:
But another option that I hadn't really considered before was they can get access to your code ahead of time. And they'll do a deep dive review of your code and look for vulnerabilities, and then use that information to inform their testing. So more of a targeted kind of thing, and allows them to optimize the time spent on engagement. And so we went with that option. And it was, it was really good. I was, well, pleasantly surprised that we did not have a significant list of issues to deal with. We did have some, and some that I was like, "Oh yeah. I could see that." And some I was like, "Wow! Where'd that come from? That's out of left field."

Ben:
So it was really useful for me to have that. And after having fixed a few of those things, now, I'm like, "Oh, I'm feeling pretty good."

Josh:
Feeling secure.

Ben:
Feeling secure. But it didn't... Go ahead.

Josh:
I was just going to say, we've gotten some of the outside vulnerability testing and scanning for free a little bit. Or for the price of a bounty here and there.

Ben:
Yeah.

Starr:
I like the freelance people.

Josh:
We didn't ask for it. But yeah, I'm sure that helped a little bit. Because we've fixed a few things that people reported over the years. And...

Ben:
Yeah.

Starr:
Maybe I should explain about this because this was all a surprise to me whenever this started happening. So I imagine it might be a surprise to listeners who don't know-

Josh:
You mean when you get big enough to attract the attention of security researchers?

Starr:
Yeah. Yeah. I don't know. I guess they have their lists or something. And you get put on a list of SaaS companies or whatever, and then-

Josh:
Someone gives out your phone number.

Starr:
... Yeah. Somebody gives out your phone number. Then suddenly, you have thousands of people from all over the world trying to break into your site, and usually they use these automated tools that spit out automated reports. And you can tell that nobody's really spent significant time in this. And you'll get these emails from their automated systems, which are like, "Oh, you need to do this. Or blah, blah, blah." And sometimes they're valid things. A lot of times they're like, "Oh, okay. I guess you're technically right. But that's not really-

Josh:
It's reaching.

Starr:
... practically an issue." And they ask for money. Basically, they ask for tips. They're like buskers, aren't they? They're like security buskers.

Josh:
The buskers of the tech industry.

Ben:
Yeah. I totally remember the first few we got of those, and people were like, "So do you pay bounties for bug reports?" We're like, "No."

Ben:
Why would we do that?

Ben:
And I totally felt like, "Is that a threat?"

Starr:
Oh yeah!

Ben:
But it's really not. After having dealt with several of these, it's really not. There are plenty of bug bounty programs out there that do pay anywhere from tip money up to really big money.

Josh:
Yeah. Pretty well.

Ben:
And yeah. They're just looking for, in our case, because we always tell people, "No, we don't do bug bounties." But they still like to get the recognition. And so they'll ask for an acknowledgement on our website, which we do. And they also ask for a tee shirt, or some sort of swag, which we were happy to do.

Josh:
I think that's kind of cool. It's kind of like a frontier of the industry. You go into it. You're not necessarily going to get anything out of it. You have to be good enough. And if you discover the right bug, you might strike it rich.

Ben:
Right.

Starr:
It does have very cyber punk feels to it.

Josh:
Yeah.

Starr:
I think.

Josh:
You might die of dysentery along the way, but...

Starr:
Yeah. It makes sense to me that we all felt a little bit threatened by it because all the security stuff, like the bug bounty people, just came in one giant wave. And none of us expected it. And we're all just scrambling and being like, "What's happening? I don't know."

Josh:
Yeah. Yeah. I think we got listed on one of their sites or something. Because there're sites that list companies, like on bounty programs and things. I don't know how we would have made it on one of those. But I assume, since it all came at once, we must have gotten listed somewhere.

Starr:
Yeah. I may have mentioned this before on the podcast, but we are also now on a list of companies that buy content.

Josh:
Yeah.

Starr:
So we get spammed by every single person selling any kind of content online, whether or not it has anything to do with us or our business. And yeah.

Ben:
But thankfully, Help Scout has automated rules so that we can filter all those messages directly to Starr.

Starr:
Yeah. They just all come straight to me. It's wonderful. And I just send them straight to spam. I've considered just sending them straight to spam because you know what? In our write for us page, it doesn't say to contact Honeybadger support. It says to contact a different email address. And if you're contacting Honeybadger support, you clearly are using a scraped thing. Because you just scraped the support email address from somewhere else on the website.

Josh:
Yeah.

Starr:
It's not in the write for us page.

Ben:
Well, it's-

Josh:
Yeah.

Starr:
Yeah, I don't know.

Ben:
It's even better when they use email addresses from our documentation that just happen to be the names from the Princess Bride characters. And it's like, "Oh, you emailed us at Inigo@Honeybadger. Yeah. I happen to know where you got that email address."

Josh:
Yeah.

Starr:
That's really clever. I didn't know that. I didn't know there was a schema there.

Ben:
Oh yeah. Totally.

Starr:
That's so fun.

Josh:
Ben's got a schema for everything.

Ben:
I love how the security researchers are doing it for street cred a lot of time. So what they'll do is-

Josh:
Yeah.

Ben:
... they'll get your swag. And when they receive it in the mail, then they'll post a picture of it to Twitter and brag to all their friends like, "Hey, I got this thing from Honeybadger because I found this vulnerability." I just think that's awesome.

Josh:
It's a total glory for glory and honor thing.

Ben:
Yeah. Yeah. Like I'm not going to pay you for a bug report, but I'll happily send you a shirt so you can brag about it.

Josh:
Yeah.

Ben:
But-

Starr:
Should we pay people? I don't know.

Josh:
We do give them swag and stuff.

Ben:
Yeah. I think there's rationale for that. And I think it makes sense. So I'm not going to say it's something that you shouldn't do. But as a small business, it's kind of tough to justify what's the right price. And then you get into the incentive thing, and yeah. It's just-

Josh:
Yeah.

Ben:
... kind of hairy question.

Starr:
Yeah.

Josh:
I think the recognition, at least, we have a security page where we list them. At least a nice thing to do if you're small.

Starr:
I wonder if we did start paying people, if we would start getting so many more people trying to find bugs, and submitting bugs and stuff, that we would just be overwhelmed by spam. I mean, not really spam, but by all these things that we don't really ... There aren't really that, I don't know, people just trying to make a buck.

Ben:
Yeah. I think that's one of the weak areas too, because like you mentioned, they don't report things. It's just like, "Ah, okay. I can see technically that's true, but we just don't care." It's not a big deal. And it would be nice if we had a won't-fix listing. Right? Like, "Okay, just don't even bother submitting a report, because we've gotten this report five times, and we just don't care about that particular thing." Right?

Josh:
We could put that on our security page.

Starr:
Yeah, because hashtag won't fix. Hashtag won't fix. Security messaging?

Josh:
Yeah.

Starr:
Yeah, I should make it clear-

Josh:
It's like guidelines.

Starr:
... we don't, if we didn't care about something, it's because it doesn't really have an effect on our user. It's not because we're just negligent.

Josh:
Yeah.

Ben:
Well, yeah. And back to the penetration test, there are different severities of issues, right? There are critical issues, there are high-priority, then medium, and low, and then just information. Right? And so, the things that we consider a won't-fix, are either informational or low. Some low things just don't matter.

Josh:
Yeah.

Ben:
But if anyone files a critical, of course we're going to hop on that right away and fix it.

Josh:
Yeah. For example, the one that I thought of when I mentioned that we had a bit of a head start, thanks to the security researchers, is I didn't ... One of the things I raised really early on was a brute-force issue on our login page.

Ben:
Yeah.

Josh:
Where if you don't throttle requests to your login page, people can just basically submit it over and over. And maybe your password-hashing algorithm, I think there's some cryptography stuff that can limit those attacks a little bit, but still, you want to throttle requests to that page. Right?

Ben:
For sure.

Josh:
I think I noticed that that was something that pen testers checked for, and we passed on. So we would have had to deal with that, if that were an issue.

Ben:
Yeah, another favorite one that we have changed over time as a result of a number of reports from security researchers are things around email addresses and confirmations. Like someone said, "Oh, if you change your email address in the app, then it should notify you at the old email address, and at the new email address to confirm that you actually want to make that change." And it's like, "Oh, yeah, that's a totally reasonable thing," and so we went ahead and did that.

Ben:
It's definitely useful to have these people out there doing that for basically the cost of a T-shirt, that's ... I mean, it's real nice.

Josh:
Yeah, especially at the price tag of a ... paying people to do it, apparently.

Ben:
Yeah, because a penetration test for the real deal is definitely much more expensive than a T-shirt.

Starr:
And what order of magnitude are we talking? What's a rough range? We don't say exactly how much, I don't even know if we can say how much we paid, but-

Josh:
Yeah. I mean, I don't care sharing-

Starr:
... tens of thousands, hundreds of thousands, millions? Do we pay millions of dollars?

Josh:
A revenue share? A revenue share deal?

Starr:
Yeah.

Ben:
It's less than $100,000, in our case.

Starr:
Okay.

Josh:
Are my kids going to be able to go to college till then? Well, actually, maybe not, for other reasons, but ...

Ben:
Like I said, I am really glad that we had that done. I think there were three issues. One of them was just like, "Okay, you have to have the insider knowledge to exploit this." But if you had that insider knowledge, then you could be really nasty. It was high, but okay, it's mitigated. We fixed it anyway. But two of them were like, "Oh, wow, that's really a thing."

Ben:
And I'm actually surprised that no one in all their testing has found one of those. One of them was a cross-site scripting issue, which was embedded in our markdown parser. So thank you, Starr, for giving me the quick fix on that. But basically, we had neglected to use one option flag to the renderer that turned off basically cross-site scripting. It was like, "Oh, we should probably just make that the default, right?"

Josh:
It's not the default?

Ben:
It's not the default.

Starr:
No. And I didn't know this, but in markdown, if you use a redcarpet markdown rendering gem, you can put JavaScript links in there, instead of the URL, you can put, "JavaScript;" and then whatever your JavaScript is.

Josh:
Sounds like a-

Starr:
And it'll-

Josh:
... nice, great feature.

Starr:
I know, that's just ... You want your authors to be able to have that capability for markdown, that's what you want. So I don't know, I guess the lesson is for ... Yeah, for markdown, always use the most ... Always just turn on safe links, or whatever it's called, I don't know.

Josh:
Well, except in JavaScript land where that is becoming the thing, is you can kind of mix the two. And if you're building a front-end site, you do maybe want to put a React component in your markdown for whatever reason, believe it or not.

Starr:
Those people are going straight to hell, Josh. There's no redemption for them.

Ben:
So when-

Starr:
No, you use Facebook's proprietary markdown in JavaScript to write your blog posts.

Ben:
You got to use the BB code, right? Remember those BB code tags?

Starr:
Oh, yeah.

Josh:
Oh, yeah. I forgot about that.

Starr:
I used to use straight ASCII codes, I just-

Ben:
Oh, so that reminds me, actually. Last week, we were talking about the old-school internet stuff, right?

Josh:
Yeah.

Ben:
Before the internet, and then forums on the internet.

Starr:
Mm-hmm (affirmative).

Ben:
And no lie, I ended up on a phpBB forum over the weekend. Someone sent a link-

Josh:
Nice.

Ben:
They were reading up on kayaks, and they linked to a kayak forum that was hosted, and I was like, "Wow, blast from the past!"

Josh:
I noticed the ones that are still around are those old-school, like non-tech-focused communities. There's one for Jeeps, too, because I have a Jeep Wrangler, and I've looked up stuff for Jeep parts and stuff, and there's all kinds of old-school forums about Jeeps out there. Yeah.

Ben:
So they still exist.

Josh:
They're still ...

Ben:
They're still cranking.

Josh:
They're serving their purpose, yeah.

Ben:
Still rendering those BB code tags.

Josh:
I want to start one.

Starr:
You should, you should. What would it be about?

Josh:
I mean, for us. Well, our Honeybadger or our FounderQuest community could be a phpBB. Why do we need a, whatever, Discourse or ... Why does it have to be fancy?

Starr:
I like it.

Josh:
It gets the job done.

Starr:
No, it needs to be a dial-up BBS, Josh. They have a house full of desktop computers.

Ben:
Yeah, we should do that. We don't even have to argue over which BBS software to run, because I'd be all for WWIV.

Starr:
Oh my gosh, yeah.

Josh:
I don't know if we can handle that, as a company.

Ben:
And then I wouldn't get any work done, because I'd be playing Trade Wars all day long.

Starr:
It sounds like an okay life, though.

Ben:
I guess.

Starr:
What was it? There was, I don't know if it was The WELL, or if it was some other big BBS ... You had your normal BBSs that were local, and then you had your BBSs that I think people had to pay it again too, and you attracted more of an international sort of following, I don't know, or maybe they were in big cities. And I saw a magazine interview with one of these people a long time ago, and they had a picture of their house, and it was just full of desktop computers, all running, instead of ...

Starr:
I don't know, maybe they didn't know about rackable servers, or maybe they just didn't have them or didn't ... I don't know, they couldn't afford them. Who knows? But the whole house full of desktop computers, and I remember thinking that was so cool, because I didn't know about rackable servers either, at the time.

Ben:
Well, one other thing that came out of the compliance work, that penetration test, was realizing that, as part of our pull request reviews, we should be looking at the security checklist, as well. We check for code quality, naturally, and functionality, of course. But also, having a checklist of the top 10 vulnerabilities that you should keep in mind, in particular the OWASP Top 10, and Josh helped me out on that one. He created a little template for our pull requests in a repo. So now, right when you look at the pull requests, there's a list of all the top 10 things you should be looking for, like cross-site scripting or those other-

Josh:
Yeah.

Starr:
Oh, nice.

Ben:
... common issues, SQL injection.

Josh:
That's great. Every time you're opening a pull request now, it's just like you have a guy in a suit and tie bending over your shoulder and-

Ben:
It's like, "Tap, tap."

Josh:
"Don't forget the security." Yeah.

Starr:
Like, "Hello, Mr. Anderson." I guess with the issue with the markdown, we would've seen that checklist, been like, "Oh, maybe I should try inserting some malicious stuff." I'm not even sure that I would have caught that, though, even if I had been checking for it, because I wouldn't have ...

Starr:
Honestly, I never make JavaScript links, I wouldn't have even thought about making a JavaScript link. I might have tried inserting a JavaScript tag, and seen if it got stripped out, which it would have. But yeah, so I don't know, maybe we also need some ... Just like a test post, it has all the possible cross-site things, all the possible SQL injection things, and just ... You have to try posting this into any forum that you make.

Ben:
Mm-hmm (affirmative).

Josh:
Yeah.

Ben:
Or, hire a dedicated security person. That's what they do all day long, is mess with your stuff.

Starr:
Yeah.

Josh:
Yeah. Well, maybe this list in the pull request template will start to help us internalize some of these security things to look for, because I don't know about you all, but really the main one that I always ... that I might actually spot is usually the SQL injection stuff, because I've been ... I think my brain has been trained to think about looking for places where input is coming in from the outside world.

Josh:
That must be a pattern that I'm already trained to look for. So maybe having the list of all the other things that you could potentially look for will, over time, help us to spot them more automatically.

Starr:
Yeah. That's a good thought. Well, on that note, we also started using Brakeman more regularly.

Josh:
Yes. Or you could hire a robot.

Ben:
Or hire a robot. And Brakeman's really good about finding SQL injections and things like that.

Josh:
Go figure, it does all the stuff that... Yeah. All the stuff that's easy for humans to do.

Starr:
It's an automated pen test tool.

Ben:
It's a static analysis tool. So it takes a look at your code, it reads the code and matches it to patterns that it knows could lead to vulnerabilities. And then flags code and says, hey, you should probably take a look at this and see. It would look for SQL injections. Like it would look for interpreted strings inside of the query, for example. Now that might not be an actual SQL injection because you might control that string, right? It may not be user input. So it's not necessarily 100% accurate, but it gives you a good check as to, hey, this is a concern you might want to take a look at that.

Josh:
Mm-hmm (affirmative). Kind of make a list and then flag them. Flag them off-

Ben:
Yeah.

Josh:
Yeah.

Ben:
And, by the way, that's one of those things that's on the check boxes of all these compliance questionnaires, the security questionnaire that you get. Do you use static analysis on your code base? Now if you use Brakeman you can check that off.

Josh:
So right now we're trialing both, just a GitHub action that runs Brakeman, which is an open source tool. It's like a command line thing, but you can put it in your CI. And works like a linter, so it'll fail if it finds an issue. So we're testing just a plain GitHub action. And then we're also testing Code Climate, which has an integration that basically runs Brakeman for you, and then gives you a little UI on top of it that gives you that false positive list. You can check it off as a false positive, or you could check it off as like, this was an issue that I fixed. And really, it's just a UI on top of Brakeman, I think. But-

Starr:
Is Brakeman only for Rails apps?

Josh:
I believe so. It's Ruby, yeah.

Starr:
It's Ruby. I asked about Rails just because it's like a brake as a part of a train and rail things tend to be sort of like locomotive theme.

Josh:
Yeah. I think you're onto something there.

Ben:
It's definitely focused on Rails, for sure.

Josh:
Yeah.

Ben:
And then to top off the security stack, we also, for a long time have been using Detectify. Which is an automated web penetration tool. It's not as sophisticated as an actual human going in and doing penetration tests, but it does a lot of common things that tries to attack your web app with SQL injection and fuzzing, and all that fun stuff. And we run that every week, and it usually reports nothing. But every now and then it says, oh, you should fix this little thing, or you might want to add this header kind of stuff.

Josh:
What about Kolide? That's not for websites, but it's a security thing we implemented, right?

Ben:
Yeah. Yeah. Tell us about that, Josh.

Josh:
Well, you know more about it than I do. But basically it's like a rootkit I installed on my computer that tells me if I have misconfigured something security-wise. I think, from my perspective, I give it ultimate trust and then it helps protect me from myself.

Ben:
Yeah. The thing I like about Kolide is that not only does it monitor those things, like, are you using full disk encryption? Do you have your firewall turned on?

Josh:
If you have an un-encrypted SSH key, was a cool one. So a lot of those things you don't think about all the time.

Ben:
Yeah. Yeah. And then it reports that stuff to Slack. And so-

Josh:
And shames you.

Ben:
It shames you. It's like, hey, pay attention. My only beef with it is that it ends up making me update my Mac a little faster than I would otherwise. Because I don't like to reboot. But it's like, nope, you haven't applied the patches. You better do that. And it squawks at me.

Josh:
I know you can't handle it. You can't handle just letting it ride, so you have to do it immediately. I'll leave it until the end of the day or whatever. Just like, shut up.

Starr:
I've been impressed with Kolide. I was a little bit nervous installing it. It feels weird. Just, I mean, I don't know the people at Kolide. They could do whatever they want to my computer now. But yeah, it really is very thorough. You know how GitHub has ... like it lets you download a file with some recovery keys for your two-factor authentication? I had forgotten to delete it after I printed it out, and it was basically two years old sitting in my downloads folder or something. And it found that. It found a couple of them because I like, you know? Because when I transferred computers, I just took my whole desktop and put it in, I don't know, some shared thing. Copied it over. So I've got these things littered all over my disk, going several years back, and I didn't even know about it.

Josh:
Mm-hmm (affirmative).

Starr:
Yeah. I was impressed by that. And then it's like, oh, it's reading everything. It knows everything about me. It's like, what else does it know about me? Is it copying my journal entries?

Josh:
This is why you have a personal computer.

Ben:
It's cool stuff. Yeah.

Ben:
But the best part about the whole compliance process was all the things that I got to say do not apply to us. Like physical security and filing cabinets, and guests coming to your office. It's like, oh yeah, we are all work from home. It doesn't fly. Thanks very much. Skipped all that. So that was nice. I think that completes our security posture. We got the penetration test, we got the automated tests. We got checklists that we're going to use in our PRs. And got Kolide watching our laptops.

Josh:
We've got firewalls. We've got-

Ben:
And of course, our production is just super locked down, right? Security groups and VPCs. And, it's fun. All the fun things you get to learn.

Josh:
Intrusion detection.

Ben:
Oh yeah. We got that now too.

Josh:
Yeah.

Starr:
Really?

Ben:
Yeah, yeah. We have a tool now that's watching for file changes and intrusion detection. I don't know how it does it. It's like magic. I don't know. But it's fun stuff.

Josh:
So don't touch those files.

Starr:
I'm not going to touch those files. Honestly, I'm a little bit terrified of touching anything in production now. Because there was a day back when it was like, things run once and it had a command line and I could log in. But now it's like, everything is so... I don't know, it's so perfectly working and spread out and organized. And I just feel like if I do the wrong thing, it's just all going to fall apart.

Ben:
I feel that way sometimes too. Yeah.

Starr:
Well, yeah good work. We didn't really have, I mean, we had a couple, like... In the pen test we had a couple things, a couple little things, a couple bigger things. But it wasn't just 100 pages of disaster. It was actually, I was like, okay, this is not the end of the world. This is okay. So, good work, because I know that doesn't just happen. I'm sure those PHP BDD people would have had much worse pen tests.

Ben:
No doubt.

Starr:
Is there anything else you all want to talk about, or you want to wrap it up?

Josh:
I was just going to say, do you know what the best feature of the Whirly Board is though?

Starr:
Oh, what is it?

Josh:
It's that you can stand. You can stand with it.

Starr:
Oh, look at that. Yeah.

Josh:
When you're not on it, you can just nonchalantly hold it. Kind of stand on one foot, look really cool while you're podcasting.

Starr:
It's like you bought the gold package of your student photos in the 90's.

Ben:
We need to have custom screen printing done on those things.

Josh:
They do. They do. You can get your logo on them. So we should have a Honeybadger one. Although I don't think you can do the full graphic, but I should totally email the guy, and ask if there's anything we could do. Because that would be sweet.

Starr:
There's something delightfully metaphorical about advertising your error monitoring product on this board where you're precariously balancing. And if you lose focus for one second, you'll just fall down and break your ankle.

Josh:
We might need to include some kind of liability waiver with this swag. I imagine.

Starr:
Well, no, I mean, we are... I don't know, we are in the EU Josh, so we have to be able to say that if you fall off, you have the right to sue us, and obligation to sue us. And we basically have the obligation to give you what you want.

Josh:
Yeah. Well maybe we can put it in our privacy policies or something. Or, well, I don't know what it would be. Our terms of service. Terms of use.

Ben:
There you go.

Josh:
If you get our swag, it's-

Ben:
It's on you. It's on you.

Starr:
Yeah. Literally in the case of a shirt. Okay. So we need to wrap this up because that was a terrible joke and they're just getting worse.

Starr:
All right, this has been FounderQuest. If you want to give us a review on Apple podcasts, go for it. We love those. And if you want to write for us, I am still talking to writers and doing that thing. Go to our blog at honeybadger.io/blog, and look for the Write For Us link at the top. And that's it. See you guys later.
Copyright 2019 Honeybadger Industries LLC